
Overview of the Sponge, Duplex and Farfalle constructions. Gilles Van Assche (STMicroelectronics). Summer school on real-world crypto and privacy, Šibenik, Croatia, June 2019 (PowerPoint presentation, slide transcript).


  1. Overview of the Sponge, Duplex and Farfalle constructions. Gilles Van Assche, STMicroelectronics. Summer school on real-world crypto and privacy, Šibenik, Croatia, June 2019. Based on joint work with Elena Andreeva, Guido Bertoni, Joan Daemen, Seth Hoffert, Bart Mennink, Michaël Peeters, Ronny Van Keer.

  2. Outline
     1 Security notions for hashing: Hashing requirements; Modern generic security
     2 Why permutation-based cryptography?
     3 Unkeyed applications: The sponge construction; The duplex construction
     4 Keyed applications: The outer keyed sponge and duplex constructions; The full-state keyed duplex construction; Farfalle; Deck functions and modes

  3. Outline (repeated, highlighting part 1: Security notions for hashing).

  4. Outline (repeated, highlighting part 1: Security notions for hashing, Hashing requirements).

  5. Security notions for hashing / Hashing requirements: Applications. Cryptographic hash functions h : {0,1}* → {0,1}^n, input message → digest. Signatures: sign_RSA(h(M)) instead of sign_RSA(M). Key derivation: master key K to derived keys (K_i = h(K ∥ i)). Bit commitment, predictions: h(what I know). Message authentication: h(K ∥ M).

  9. Security notions for hashing / Hashing requirements: Generalized: extendable output function (XOF), h : {0,1}* → {0,1}*. “XOF: a function in which the output can be extended to any length.” [Ray Perlner, SHA-3 workshop 2014]. Applications: Signatures: full-domain hashing, mask generating function. Key derivation: as many/long derived keys as needed. Stream cipher: C = P ⊕ h(K ∥ nonce).

  10. Security notions for hashing / Hashing requirements: Modern security requirements. Hash or XOF h with n-bit output. Modern security requirement: h behaves like a random mapping … up to security strength s. Classical security requirements, derived from it: preimage resistance 2^min(n, s); second-preimage resistance 2^min(n, s); collision resistance 2^min(n/2, s).
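The XOF applications of slide 9 and the generic-attack bookkeeping of slide 10, as an added Python example that is not part of the deck: h is instantiated with SHAKE128 from `hashlib` (claimed security strength s = 128), and the fixed `KEY_LEN`/`NONCE_LEN` sizes are this example's own convention so that K ∥ i and K ∥ nonce cannot be parsed two ways. The sample key and nonce are constructed values, and `generic_strength` simply evaluates the three bounds from slide 10.

```python
import hashlib
import hmac

KEY_LEN = 32    # fixed sizes make K || i and K || nonce unambiguous (example's convention)
NONCE_LEN = 16
TAG_LEN = 32


def xof(data: bytes, out_len: int) -> bytes:
    """h : {0,1}* -> {0,1}*, instantiated with SHAKE128; any output length is allowed."""
    return hashlib.shake_128(data).digest(out_len)


def derive_key(master_key: bytes, index: int, length: int) -> bytes:
    """Key derivation K_i = h(K || i): as many keys, and as long, as needed."""
    if len(master_key) != KEY_LEN:
        raise ValueError("master key must be KEY_LEN bytes")
    return xof(master_key + index.to_bytes(4, "big"), length)


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream cipher C = P xor h(K || nonce): the XOF yields exactly len(P) keystream bytes."""
    if len(key) != KEY_LEN or len(nonce) != NONCE_LEN:
        raise ValueError("key and nonce must have their fixed lengths")
    keystream = xof(key + nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


stream_decrypt = stream_encrypt  # XOR with the same keystream undoes the encryption


def mac(key: bytes, message: bytes) -> bytes:
    """Message authentication h(K || M) from slide 5. A sponge-based XOF has no
    length-extension property, so the plain prefix-key form is sound here; with a
    Merkle-Damgard hash such as SHA-256 it would not be."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be KEY_LEN bytes")
    return xof(key + message, TAG_LEN)


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison against a freshly recomputed tag."""
    return hmac.compare_digest(mac(key, message), tag)


def generic_strength(n: int, s: int) -> dict:
    """log2 of the generic attack costs from slide 10 for an n-bit output and strength s."""
    return {"preimage": min(n, s), "second_preimage": min(n, s), "collision": min(n // 2, s)}


# Constructed sample values for the demonstration (not real secrets).
SAMPLE_KEY = bytes(range(KEY_LEN))
SAMPLE_NONCE = bytes(range(NONCE_LEN))

if __name__ == "__main__":
    ct = stream_encrypt(SAMPLE_KEY, SAMPLE_NONCE, b"attack at dawn")
    print(ct.hex(), stream_decrypt(SAMPLE_KEY, SAMPLE_NONCE, ct))
    print(derive_key(SAMPLE_KEY, 1, 48).hex())
    print(generic_strength(256, 128))
```

The prefix property of an XOF is what makes "extendable" concrete: `derive_key(K, i, 16)` is the first 16 bytes of `derive_key(K, i, 64)`, so a consumer can ask for more output later without re-keying. The nonce must never repeat under one key, since reusing h(K ∥ nonce) as keystream leaks the XOR of the two plaintexts.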

  11. Outline (repeated, highlighting part 1: Security notions for hashing, Modern generic security).

  12. Security notions for hashing / Modern generic security: Generic security: indistinguishability. Adversary D must tell apart the ideal function, a monolithic random oracle RO, from the construction S[F] calling an ideal primitive F. Express Pr(success | D) as a function of the total cost of queries N. Problem: in the real world, F is available to the adversary.

  14. Security notions for hashing / Modern generic security: Generic security: indifferentiability [Maurer et al. (2004)], applied to hash functions in [Coron et al. (2005)]. Distinguishing the mode-of-use from the ideal function (RO); covers an adversary with access to the primitive F (at left); the additional interface is covered by a simulator (at right).

  15. Security notions for hashing / Modern generic security: Generic security: indifferentiability [Maurer et al. (2004)]. Methodology: build a simulator P that makes left/right distinguishing difficult; P may query RO for acting S-consistently: P[RO]; prove a bound for the advantage given this simulator P.

  16. Security notions for hashing / Modern generic security: Generic security: indifferentiability [Maurer et al. (2004)]. Advantage bound: $\mathrm{Adv}(q) = \left|\Pr\left(\mathcal{D}^{S[F],\,F}\right) - \Pr\left(\mathcal{D}^{RO,\,P[RO]}\right)\right| \le \epsilon(q)$.

  17. Security notions for hashing / Modern generic security: Consequences of indifferentiability. Let D be an n-bit-output pre-image attack. Success probability: for the random oracle, P_pre(D | RO) = q 2^−n; for our construction, P_pre(D | S[F]) = ? Build a distinguisher D with Adv(q) = P_pre(D | S[F]) − P_pre(D | RO): do the pre-image attack; if it succeeds, conclude “our construction”, otherwise “RO”. But we have a proven bound Adv(q) ≤ ε(q), so P_pre(D | S[F]) ≤ P_pre(D | RO) + ε(q). Can be generalized to any attack.
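The reduction on slide 17, carried through with the slide's own symbols as an added worked derivation (it is not part of the original deck). Let D be the distinguisher that runs the q-query pre-image attack against whichever pair of oracles it is given and outputs 1 exactly when the attack succeeds. Then

$$
\Pr\!\left(\mathcal{D}^{S[F],\,F} = 1\right) = P_{\mathrm{pre}}(\mathcal{D}\,|\,S[F]),
\qquad
\Pr\!\left(\mathcal{D}^{RO,\,P[RO]} = 1\right) = P_{\mathrm{pre}}(\mathcal{D}\,|\,RO) = q\,2^{-n},
$$

and the indifferentiability bound of slide 16 gives

$$
P_{\mathrm{pre}}(\mathcal{D}\,|\,S[F]) - q\,2^{-n} \;\le\; \mathrm{Adv}(q) \;\le\; \epsilon(q)
\quad\Longrightarrow\quad
P_{\mathrm{pre}}(\mathcal{D}\,|\,S[F]) \;\le\; q\,2^{-n} + \epsilon(q).
$$

Nothing in the argument used the pre-image goal specifically: for any attack X whose success is an event the distinguisher can observe in a single stage, the same two lines yield $P_X(\mathcal{D}\,|\,S[F]) \le P_X(\mathcal{D}\,|\,RO) + \epsilon(q)$, which is the "generalized to any attack" statement. The single-stage condition is exactly the restriction the deck lists under "Limitations of indifferentiability".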

  18. Security notions for hashing / Modern generic security: Consequences of indifferentiability [Andreeva, Mennink, Preneel, ISC 2010].

  19. Security notions for hashing / Modern generic security: Limitations of indifferentiability. Only about the mode (no security proof with a concrete primitive). Only about single-stage games [Ristenpart et al., Eurocrypt 2011]; example: hash-based storage auditing, Z = h(File ∥ C).

  21. Outline (repeated, highlighting part 2: Why permutation-based cryptography?).

  22. Why permutation-based cryptography? Symmetric crypto: what textbooks and intros say. Symmetric cryptography primitives: block ciphers; key stream generators; hash functions; and their modes-of-use. (Picture by GlasgowAmateur.)

  23. Why permutation-based cryptography? The truth about symmetric crypto today: block ciphers.

  24. Why permutation-based cryptography? What block ciphers are used for: Hashing (Davies-Meyer) and its modes: HMAC, MGF1, … Block encryption: ECB, CBC, … Stream encryption: synchronous (counter mode, OFB, …), self-synchronizing (CFB). MAC computation: CBC-MAC, C-MAC, … Authenticated encryption: OCB, GCM, CCM, …

  25. Why permutation-based cryptography? Block cipher operation.

  26. Why permutation-based cryptography? Block cipher operation: the inverse.

  27. Why permutation-based cryptography? When do you need the inverse? Indicated in red on the slide: Hashing and its modes: HMAC, MGF1, … Block encryption: ECB, CBC, … Stream encryption: synchronous (counter mode, OFB, …), self-synchronizing (CFB). MAC computation: CBC-MAC, C-MAC, … Authenticated encryption: OCB, GCM, CCM, … Most schemes with misuse-resistant claims. So for most uses you don’t need the inverse!

  28. Why permutation-based cryptography? Block cipher internals.

  29. Why permutation-based cryptography? Davies-Meyer compression function.
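Davies-Meyer as an added Python example that is not part of the deck, illustrating the point of slide 27 that hashing calls E but never E⁻¹: the block cipher is a deliberately simple toy 64-bit Feistel cipher written only in its forward direction, and no decryption routine exists anywhere in the block. `toy_encrypt`, `davies_meyer`, `dm_hash`, the padding rule and `IV` are this example's own constructions; the toy cipher only shows the structure and is not meant to be secure.

```python
import struct

MASK32 = 0xFFFFFFFF
IV = 0x0123456789ABCDEF   # example's own fixed starting value


def _round_function(r: int, k: int) -> int:
    """Toy Feistel round function: xor the round key, multiply by an odd constant, rotate."""
    x = ((r ^ k) * 0x9E3779B1) & MASK32
    return ((x << 13) | (x >> 19)) & MASK32


def toy_encrypt(key: int, block: int, rounds: int = 8) -> int:
    """Forward direction of a toy 64-bit Feistel block cipher with a 64-bit key.
    Deliberately no inverse: Davies-Meyer never needs one."""
    left, right = block >> 32, block & MASK32
    for i in range(rounds):
        round_key = ((key >> (8 * i)) ^ (key * (i + 1))) & MASK32  # toy key schedule
        left, right = right, left ^ _round_function(right, round_key)
    return (left << 32) | right


def davies_meyer(h_prev: int, m_block: int) -> int:
    """Davies-Meyer compression h_i = E_{m_i}(h_{i-1}) xor h_{i-1}: the message block is the key."""
    return toy_encrypt(m_block, h_prev) ^ h_prev


def pad(message: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zeros, then the bit length, to a multiple of 8 bytes."""
    padded = message + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % 8)
    return padded + struct.pack(">Q", 8 * len(message))


def dm_hash(message: bytes) -> int:
    """Iterate the compression function over the padded 8-byte message blocks."""
    h = IV
    padded = pad(message)
    for i in range(0, len(padded), 8):
        (m_block,) = struct.unpack(">Q", padded[i:i + 8])
        h = davies_meyer(h, m_block)
    return h


if __name__ == "__main__":
    print(f"{dm_hash(b'abc'):016x}")
```

Because the message block sits in the key input, every call re-runs the key schedule, and the feed-forward XOR is what turns the invertible E into a one-way compression step; both observations are what slides 30 and 31 strip away when they replace the keyed block cipher with a single iterated permutation.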

  30. Why permutation-based cryptography? Removing restrictions not required in hashing.

  31. Why permutation-based cryptography? Simplifying the view: iterated permutation.

  32. Why permutation-based cryptography? Designing a permutation. Remaining problem: the design of the iterated permutation; round function: good approaches known; asymmetry: round constants. Advantages with respect to block ciphers: no more need for an efficient inverse; no more worries about the key schedule; fewer barriers ⇒ more diffusion.
